>I went over this for a while and I don't see how firefox could be adapted to
>avoid this new pledge class. The other option is to move lots of code around so
>that the video device is opened/configured unconditionally by the main process
>before pledging (but then you'd still need the various ioctls getting buffers
>etc), but that feels stupid: why would you want to open the video device if
>you're not going to actually use it?

Most privsep programs contain a process which isn't pledged.

>Right now the devices are listed/opened *when* camera access is requested by
>a page aiming to use the camera, ie during the process lifetime, so until
>upstream decides to separate video device access in a separate process (which
>isn't afaik on the radar) adding this pledge class is the only solution I see
>for now.

Not on the radar? I'd say that is the problem. Firefox privsep is largely lipstick on a pig. I am not blaming you.

>That of course doesn't try to solve the video device access/ownership which is
>a separate issue.

I fear it solves no issues at all.

As I said before, I am uncomfortable pushing this policy mechanism into the kernel to be used by *only one program*. Sorry, but that isn't how pledge is developed / extended.
